On Fri, Aug 23, 2013 at 6:43 PM, Risker <risker.wp@gmail.com> wrote:
> Well, I'm not terribly technical, but I don't think there's ever been consideration of linking login requirements to user permissions. Perhaps that needs to change. I'm concerned too.
Unfortunately it's very difficult to do this. On our login forms you enter your username and password simultaneously, which means the server can't possibly know if the user has to be using HTTPS until they've already submitted their password, thus defeating the purpose. That's why $wgSecureLogin is made to *always* put logins over HTTPS, no matter what, and then direct the user to the appropriate protocol afterwards.
--
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com
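
The ordering problem described in the message above, as an added example that is not part of the original email and is not MediaWiki code: a small Python model comparing a per-user HTTPS requirement with an always-HTTPS login form. Only `$wgSecureLogin` comes from the message; the accounts, field names and functions are constructed for illustration.

```python
# Illustrative model only; not MediaWiki code. All names and accounts are constructed.
import hmac
from dataclasses import dataclass, field

USERS = {  # constructed sample accounts
    "AdminAlice": {"password": "correct horse", "requires_https": True, "prefers_https": True},
    "ReaderBob": {"password": "hunter2", "requires_https": False, "prefers_https": False},
}

@dataclass
class Wire:
    """Records what a passive observer on the network path could read."""
    cleartext: list = field(default_factory=list)

    def send(self, scheme, form):
        if scheme == "http":  # no TLS: the whole POST body is readable in transit
            self.cleartext.append(dict(form))
        return scheme, form

def check_password(user, supplied):
    return user is not None and hmac.compare_digest(user["password"], supplied)

def login_per_user_policy(wire, scheme, username, password):
    """Per-permission design: require HTTPS only for accounts flagged as needing it."""
    scheme, form = wire.send(scheme, {"username": username, "password": password})
    user = USERS.get(form["username"])  # first moment the server learns who is logging in
    if user and user["requires_https"] and scheme != "https":
        return "rejected: HTTPS required"  # too late, the password already crossed the wire
    return "ok" if check_password(user, form["password"]) else "failed"

def login_always_https(wire, scheme, username, password):
    """$wgSecureLogin-style design: force the form to HTTPS, pick the protocol afterwards."""
    if scheme != "https":
        scheme = "https"  # the form itself is moved to HTTPS before credentials are sent
    scheme, form = wire.send(scheme, {"username": username, "password": password})
    user = USERS.get(form["username"])
    if not check_password(user, form["password"]):
        return "failed"
    return "ok, continue on " + ("https" if user["prefers_https"] else "http")

def leaked_passwords(wire):
    """Passwords an on-path observer could have read."""
    return [form["password"] for form in wire.cleartext]
```

In the per-user design the server rejects the privileged account's HTTP login correctly, yet the observer already holds the password; in the always-HTTPS design the per-user choice is applied only after authentication.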